
Those companies were not created to solve those problems, but to profit by them. Do you think that, say, Cloudflare would like a better web protocol which would be impossible to DDoS?


If such a thing was possible we'd be the first to roll it out. DDoS is a scourge which is why we made DDoS mitigation unmetered on all plans including free: https://blog.cloudflare.com/unmetered-mitigation/


I wonder if DDoS could be solved (for static websites at least) by using P2P as a supplementary load balancer.

This could be set to only be enabled if load is approaching a certain percent of capacity that the servers/CDN are able to handle.

Once reaching that threshold, P2P would kick in, and existing visitors could serve static content to newer visitors using something like the WebRTC + Service Worker + IndexedDB combo that www.arc.io uses for their P2P CDN.

Thoughts?


I’ve looked at P2P CDNs over the years and they seem to be solving the wrong problem. At scale, bandwidth isn’t a problem; it’s recognizing the DDoS and filtering it while letting through legitimate traffic to a dynamic website or API. That’s complex. Not saying it can’t be done in a P2P manner, but it’s hard.


Interesting, you make a good point there. Out of curiosity, do you see other areas where P2P on the client side can have a significant benefit?


By making it free though you’ve disincentivized fixing it. It’s awfully coincidental that the current leading solution to DDoS for people running websites is “use cloudflare”.

Cloudflare has absolutely no reason to invest in solving DDoS because the existence of them is one of your best sales leads. DDoSes are cancer and you run a cancer treatment center. Gotta make sure you can treat cancer well but you wouldn’t want people to avoid it in the first place.


What short term thinking that would be! That's how companies die. They get captured by their customers and markets and they can't see change coming.

Imagine if Cloudflare stubbornly stuck to providing DDoS services and never considered the idea that there might be a solution to DDoS at the protocol level. We'd die if someone else came up with the technical solution to DDoS. So, it would both be better for the Internet and better for us if we were involved in killing off DDoS at whatever level possible.

For example, on the network level we've pushed for BCP-38 over and over again to deal with spoofing. RFC 2267 is 24 years old (https://www.rfc-editor.org/info/rfc2267)! But, yeah, sure, Cloudflare, which is half that age, is keeping all those DDoS attacks happening because they love the smell of $$$. Give me a fucking break.


I long ago made bcp38 and fq_codel available in openwrt. It would be great if cloudflare told more customers what better home routers they could use as a base.

We also solved the bcp38-like problem ipv6 had by using source specific routing throughout openwrt. A lot of other router makers are still not doing this right. Turris gets it right, I know.

It would be good to know what else cloudflare thinks would be a good set of DDOS protection features (route 666) home routers should have? Please add requests here: https://forum.openwrt.org/t/cerowrt-ii-would-anyone-care/110...
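The BCP-38 / source-specific filtering the comments above refer to, as an added illustration (not code from the commenter, OpenWrt or Cloudflare): a router-side check that drops packets leaving the LAN with a source not in that interface's assigned prefixes, and drops upstream packets claiming a local or private source. Interface names, prefixes and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: prefixes assigned to each LAN-side interface.
# A hypothetical home router with one IPv4 and one IPv6 delegated prefix.
LAN_PREFIXES = {
    "lan": [ipaddress.ip_network("192.168.1.0/24"),
            ipaddress.ip_network("2001:db8:1::/64")],
}

# Sources that must never arrive from the upstream (WAN) side.
WAN_BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("::1/128"),
]


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on ("lan" or "wan")
    src: str
    dst: str


def verdict(pkt: Packet) -> str:
    """BCP-38 style decision: 'accept' or a 'drop:<reason>' string."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.ingress_if in LAN_PREFIXES:
        # Egress toward the Internet: the source must belong to a prefix
        # assigned to the interface it came in on (source-specific check,
        # so a v6 host cannot borrow a prefix from another interface).
        if any(src in net for net in LAN_PREFIXES[pkt.ingress_if]):
            return "accept"
        return "drop:spoofed-source"
    # Ingress from upstream: a private or locally assigned source is spoofed.
    local = [n for nets in LAN_PREFIXES.values() for n in nets]
    if any(src in net for net in WAN_BOGON_SOURCES + local):
        return "drop:bogon-source"
    return "accept"


def filter_batch(pkts):
    """Return (src, verdict) pairs; useful for logging what was dropped."""
    return [(p.src, verdict(p)) for p in pkts]
```

`ipaddress` membership tests are address-family aware, so an IPv6 source is never accidentally matched against an IPv4 prefix.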


> We'd die if someone else came up with the technical solution

This reasoning does not prevent Google from slowly making itself irrelevant by changing the web to such an extent as to make its search algorithm impossible to get any useful results from.

> For example, on the network level we've pushed for BCP-38 over and over again to deal with spoofing.

That is a point in your favor, I will concede.

> Give me a fucking break.

Cloudflare is a huge company with more and more power over the entire internet, and it is constantly urging people to only use the internet through Cloudflare, in numerous ways. You do not get a “fucking break”.


Allow me to paraphrase your comment:

“It’s not possible to solve this problem, except by centralizing all the web through us. Aren’t we generous to not punish our customers when they get hit by this problem?”


Do not “rephrase” others’ comments. Stick to your own.


I said nothing of the sort.


Perhaps not, but it is how I interpreted it. Cloudflare is a force for centralization, and has every incentive to remain that way. I don’t see how that could change.


Just like how we "centralized" everything by helping with the testing and rolling out of such Internet standards as TLS 1.3, HTTP/3, QUIC, MASQUE, ...


I don’t see how that’s relevant. New versions of TLS, etc. neither help nor hurt centralization, which was the topic at hand.


Given that they seem to be backing IPFS, I would say so.

https://developers.cloudflare.com/distributed-web/ipfs-gatew...


I see that similarly to Google backing Firefox. On the surface, it seems odd, but probably has some shrewd reason for it, and it would probably cease the moment the backed project got any real traction.


How would a web protocol solve this? Even if you were to create an internet protocol to counter DDoS attacks by allowing destination IP addresses to request hardware-accelerated IP bans of abusive source addresses, you still are stuck with a hardware and authorization problem.

Even if you properly implement this system, network operators will expose themselves to firewall DDoS attacks by malicious actors that are trying to fill the firewall blacklists with garbage.

We've reached counter-counter-DDoS warfare. What do you do now?



